CVE-2025-13609
Published: 24 November 2025
Description
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Security Summary
CVE-2025-13609 is a vulnerability in keylime that allows an attacker to register a new agent using a different Trusted Platform Module (TPM) device while claiming the unique identifier (UUID) of an existing legitimate agent. This overwrites the legitimate agent's identity, enabling the attacker to impersonate the agent and potentially bypass security controls that rely on agent identity verification. Published on 2025-11-24, the issue is scored 8.2 under CVSS v3.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L) and maps to CWE-694.
The attack requires network access, low complexity, no user interaction, and high privileges (PR:H), with a scope change (S:C). A privileged attacker can exploit this by performing the malicious registration, achieving high integrity impact (I:H) through impersonation, along with low confidentiality (C:L) and availability (A:L) impacts, potentially undermining keylime's attestation and integrity measurement mechanisms.
Red Hat has issued multiple errata addressing CVE-2025-13609, including RHSA-2025:23201, RHSA-2025:23210, RHSA-2025:23628, RHSA-2025:23735, and RHSA-2025:23852, which provide mitigations such as updated keylime packages for affected Red Hat products.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables impersonation of legitimate Keylime agents by overwriting their UUID registration with a different TPM (T1656), facilitating the abuse of valid agent accounts/identities (T1078) and exploitation for defense evasion by bypassing attestation security controls (T1211).